How Do I Keep My Website Safe?
In 2002, PCWorld posed the question, “Are We Living in the Golden Age of Hackers?” A quick search reveals that it has been a very popular question that people are still asking today. Their implication was that, yes, the early 2000s were the Golden Age of Hacking. I would disagree on one premise: hackers are enjoying more success today than ever before.
Case in point: it seems like every week there’s another story in the news. Apple was compromised when employees visited a hacked website. Google Gmail was hacked by mysterious actors in China. Computing monoliths Microsoft and IBM: hacked. Facebook was hacked. Twitter was hacked. Amazon, Wells Fargo, MasterCard and Visa weren’t technically hacked, but their websites were attacked and disrupted. Sony estimated their losses at $171,000,000 when their PlayStation network was hacked.
If the biggest players in technology and the Internet can’t keep their systems safe from the bad guys what hope do the rest of us have?
The unfortunate answer is: ultimately, not much. Given enough time, a dedicated team of experts is probably going to be able to exploit 99.99% of the websites out in the wild blue Internet. The only sure defense against these people is to turn off your computer, unplug the Ethernet cable, lock it in a safe and throw it into the Mariana Trench. If a hacker can compromise that, then I would gladly concede defeat. He earned it.
Some of you may not like the idea of your computer being at the bottom of the ocean. For you, the next best thing to do is to hire your own dedicated (i.e. expensive) team of experts to protect your site. “But I don’t have the money or the desire to hire a team of security experts.” That’s okay because I have good news! You probably don’t need a team of elite counter-hackers because the legions of malevolent black-hats probably aren’t after you. That leaves the less motivated hackers for the rest of us.
So what can I do to keep my website safe and secure without emptying my bank account in the process?
Great question. I’m glad you asked.
There are quite a few things to consider when evaluating your online security but every website has two big security concerns. They are:
- The server the website is running on, and
- The code that the server runs in order to display your website to your visitors
Securing Your Server
Most websites out there use a 3rd party to host their websites and manage their servers. Network Solutions, 1and1 and GoDaddy are all very popular with small business and individuals. Companies with larger budgets might use a managed hosting company like Rackspace or cloud hosting like Windows Azure. (Disclaimer: I have nothing to disclaim. I have no affiliation with any of these companies.)
For the most part, the big name hosting companies all have good track records for security. These companies do have teams of experts monitoring their servers to ensure that they are secure. They may or may not have good track records elsewhere, but that’s a different question. If you want to be extra safe (and all of us do, right?) then call up their support desk and ask them a few questions. A little bit of accountability and assurance go a long way.
- How often do you apply security patches?
- How long does it take you to apply a security patch after it is released?
- What would your company do if my website got hacked or compromised? How would you help me restore it back to its normal, working state?
Their answers would provide a good insight on how seriously they take security (and customer service).
If you’re hosting your web server yourself, then you have a lot to do – more than I’m planning on addressing in the scope of this article. You should be asking yourself one question. Why? If you said “money,” you’re wrong. There’s very cheap and even free hosting out there to be had. If you didn’t give a detailed account of how self-hosting fits into your business plan, with dedicated processes and personnel, you’re wrong. Hosting is cost-effective, comes in many different flavors and support levels, and takes a large burden of maintenance and liability off of you.
Securing Your Code
As long as you have one of the big name hosts, your servers are in pretty good hands without having to take any additional steps. That leaves your website’s code as the most likely place where hackers will be able to exploit your site. This is where it gets really hairy.
Just as a homebuilder wouldn’t start building a house on a cracked foundation, your web developer shouldn’t start building your website on a platform with security holes. There are heaps of platforms and frameworks to use when building a website. Most of them have very smart people behind them that have spent countless hours, days and years turning them into safe, secure, easy to use products. WordPress, Drupal, Joomla, .NET, Zend, Sitefinity, Comentum, Sitecore, and CakePHP are just a few tools to build upon. There are many, many, many more.
The best way to ensure that your code is safe is to stand on their shoulders.
Think about it like this. We’ll use WordPress as an example, but the argument stands more-or-less for all of the names above. WordPress is a free, open source blogging tool. It has been in development since 2003. At the time of this post, there are 18 people that are responsible for building it. There is a huge community of designers and developers that are working with WordPress to customize it and extend its functionality. If you built your website on top of WordPress, you’re getting a mature platform with 18 people working right now to make your website better and safer for free. Once it is properly set up, you don’t even need your own developer.
Now consider if you built your website from scratch. You can forget about everything I just said. You’re paying a developer for every hour of work they do. If they aren’t running security tests, no one is. If they aren’t patching security holes, they are left open. If they don’t have the expertise to do these things, you have to hire someone who does or risk being compromised.
Which sounds better to you?
Every platform is different. Some are cheap, some are expensive. Some are for individuals and some are for enterprises. The message is the same. When you start off with a secure product that has a team of people working on it to make it better, your website reaps the benefits.
Conclusion
If you want to keep your website safe in an age when even world governments are actively seeking out and attacking websites, you’ve got your work cut out for you. The good news is that unless China is trying to steal your trade secrets or the hacker collective Anonymous disagrees with your politics, you shouldn’t have to worry about your site getting hacked and you wouldn’t be unreasonable to expect that your website be kept safe. There are plenty of precautions that you can put in place to make sure it doesn’t happen.
First, get a host that takes security seriously and will answer your questions about it. Second, make sure that your website is built on top of a secure, strong platform that is constantly being improved upon by smart people. Lastly, when these smart people release updates to your platform, apply them to your website!
What has your experience with website security been? Have you spoken to your host about it? Do you know when the last time a security patch was installed for your site? Let us know in the comments below!
Jeff Magill · Jun 04 2013 · Security